arkadiyt / aws_public_ips

Fetch all public IP addresses tied to your AWS account. Works with IPv4/IPv6, Classic/VPC networking, and across all AWS services
MIT License

Misses public IPs used by NAT Gateways. #29

Closed breser closed 5 years ago

breser commented 5 years ago

It misses NAT gateways (which have largely replaced NAT instances now). NAT gateways do not appear as EC2 instances. They can be scanned by specifically looking for NAT gateways via DescribeNatGateways. However, I'd suggest using the DescribeAddresses API to query all Elastic IP Addresses: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeAddresses.html

You can filter out EC2 instances by skipping any Elastic IP that has an Instance ID provided. I'd suggest keeping the existing EC2 scanning code because it lets you show IPs associated with the instance using them with the verbose option. For Elastic IPs I'd suggest showing them associated with the network interface they are attached to. Sadly this is more abstracted from what people are using them for, but it's the best you can do without writing a ton of code for each use that isn't an EC2 instance.

You can filter out unused Elastic IPs by looking for empty network interface or association IDs. It may be worth having an option that lets you see the out-of-use IPs too.

I haven't specifically tested this, but I suspect that by not scanning DescribeAddresses you actually miss Fargate containers with public IPs attached, because they don't show up as EC2 instances despite your documentation mentioning that you'd find Fargate via EC2. Which is part of the reason I suggest this path.

0xdabbad00 commented 5 years ago

I recently added support to CloudMapper for ECS and I used aws ec2 describe-network-interfaces to find their IPs. See https://github.com/duo-labs/cloudmapper/blob/6922f8284e95941f9c97dc0700be8baf680cf08a/shared/nodes.py#L572

breser commented 5 years ago

Seems that excluding NAT Gateways may have been on purpose, see: https://github.com/arkadiyt/aws_public_ips/blob/master/lib/aws_public_ips/checks/ec2.rb#L15-L16

breser commented 5 years ago

> I recently added support to CloudMapper for ECS and I used aws ec2 describe-network-interfaces to find their IPs. See https://github.com/duo-labs/cloudmapper/blob/6922f8284e95941f9c97dc0700be8baf680cf08a/shared/nodes.py#L572

Yeah, scanning for network interfaces works as well; that would also exclude unused IPs.
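The two enumeration strategies discussed in this thread (classifying DescribeAddresses results by whether an Elastic IP is instance-backed, attached to some other network interface, or unused; and pulling public IPv4/IPv6 addresses from describe-network-interfaces, which naturally drops unassociated EIPs) as an added example. This is not code from aws_public_ips or CloudMapper. It runs offline over constructed sample data shaped like aws-sdk-ec2 responses (symbol-keyed hashes standing in for the SDK's response structs); the only assumption is the real client call sketched in the trailing comment.

```ruby
# Added example, not part of the aws_public_ips project.
# Sample data below is constructed and mirrors the field names of
# Aws::EC2::Client#describe_addresses and #describe_network_interfaces.

# Constructed sample of describe_addresses(...).addresses
SAMPLE_ADDRESSES = [
  { public_ip: '203.0.113.10', allocation_id: 'eipalloc-0a1', instance_id: 'i-0abc',
    association_id: 'eipassoc-1', network_interface_id: 'eni-1' },              # EC2 instance
  { public_ip: '203.0.113.11', allocation_id: 'eipalloc-0a2', instance_id: nil,
    association_id: 'eipassoc-2', network_interface_id: 'eni-nat' },            # NAT gateway ENI
  { public_ip: '203.0.113.12', allocation_id: 'eipalloc-0a3', instance_id: nil,
    association_id: nil, network_interface_id: nil }                            # allocated, unused
].freeze

# Constructed sample of describe_network_interfaces(...).network_interfaces
SAMPLE_INTERFACES = [
  { network_interface_id: 'eni-1', interface_type: 'interface',
    description: 'Primary network interface',
    association: { public_ip: '203.0.113.10' },
    ipv_6_addresses: [{ ipv_6_address: '2001:db8::1' }] },
  { network_interface_id: 'eni-nat', interface_type: 'nat_gateway',
    description: 'Interface for NAT Gateway nat-0123 (constructed id)',
    association: { public_ip: '203.0.113.11' }, ipv_6_addresses: [] },
  { network_interface_id: 'eni-task', interface_type: 'interface',
    description: 'ecs task ENI (constructed)',
    association: { public_ip: '203.0.113.20' }, ipv_6_addresses: [] },
  { network_interface_id: 'eni-priv', interface_type: 'interface',
    description: 'private-only ENI', association: nil, ipv_6_addresses: [] }
].freeze

# Group Elastic IPs the way the issue suggests:
#  :instance        - has an instance_id, already covered by the EC2 instance scan
#  :other_interface - associated with an ENI that is not an instance (NAT gateway, ECS task, ...)
#  :unused          - allocated but with no association and no interface
def classify_addresses(addresses)
  groups = { instance: [], other_interface: [], unused: [] }
  addresses.each do |a|
    if a[:instance_id]
      groups[:instance] << a[:public_ip]
    elsif a[:association_id] || a[:network_interface_id]
      groups[:other_interface] << { ip: a[:public_ip], eni: a[:network_interface_id] }
    else
      groups[:unused] << a[:public_ip]
    end
  end
  groups
end

# Public IPv4 and IPv6 addresses per network interface. An unassociated EIP has no
# interface, so it never shows up here. NAT gateway interfaces are skipped by default,
# matching the project's intent of listing only endpoints that can accept ingress.
def interface_public_ips(interfaces, include_nat_gateway: false)
  interfaces.each_with_object([]) do |eni, out|
    next if !include_nat_gateway && eni[:interface_type] == 'nat_gateway'
    v4 = eni.dig(:association, :public_ip)
    out << { eni: eni[:network_interface_id], ip: v4, description: eni[:description] } if v4
    (eni[:ipv_6_addresses] || []).each do |v6|
      out << { eni: eni[:network_interface_id], ip: v6[:ipv_6_address],
               description: eni[:description] }
    end
  end
end

# Against a real account (assumption: the aws-sdk-ec2 gem is installed and
# credentials are configured), the same functions take the SDK output:
#   require 'aws-sdk-ec2'
#   ec2 = Aws::EC2::Client.new
#   addresses  = ec2.describe_addresses.addresses.map(&:to_h)
#   interfaces = ec2.describe_network_interfaces.each_page
#                   .flat_map { |page| page.network_interfaces.map(&:to_h) }
if $PROGRAM_NAME == __FILE__
  groups = classify_addresses(SAMPLE_ADDRESSES)
  puts "Instance-backed EIPs:   #{groups[:instance].join(', ')}"
  puts "Other-interface EIPs:   #{groups[:other_interface].map { |r| "#{r[:ip]} (#{r[:eni]})" }.join(', ')}"
  puts "Unused EIPs:            #{groups[:unused].join(', ')}"
  interface_public_ips(SAMPLE_INTERFACES).each do |r|
    puts "#{r[:ip].ljust(16)} #{r[:eni]}  #{r[:description]}"
  end
end
```

Run it with `ruby public_ips_example.rb`; the unused EIP and the NAT gateway address appear only in the DescribeAddresses grouping, while the ENI listing returns the instance's IPv4 and IPv6 addresses plus the task ENI, which is exactly the gap the thread points out for workloads that are not EC2 instances.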

arkadiyt commented 5 years ago

> Seems that excluding NAT Gateways may have been on purpose, see: https://github.com/arkadiyt/aws_public_ips/blob/master/lib/aws_public_ips/checks/ec2.rb#L15-L16

That's correct - the idea of this tool is to find exposed IPs that might have vulnerabilities / lead to unintentional access / etc, and since the NAT Gateways are managed by AWS and don't allow ingress traffic I excluded them. Could you let me know what your use case for seeing those is?

breser commented 4 years ago

That's a reasonable reason to exclude these. My use case matches what you describe; I don't need this.